Hello. Welcome to the NIST 800-171 learning path. My name is [inaudible], and I'll be your instructor for this class. This course is Understanding and Implementing the 110 NIST 800-171 Requirements. As you can see from the agenda, we've got a lot of ground to cover in this particular course. There are 14 requirements families. You'll probably hear me use the term "requirements" interchangeably with "controls." I've tried to stop doing that, but it's a bad habit I've picked up and I can't help myself. If you hear me say "controls," I mean the same thing as "requirements." I don't want to confuse you during this particular course.

In this course we'll do a quick overview, and then we'll look at each one of the requirements families, including access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, systems and communication protection, and system and information integrity.

Let's take a quick look at the overview. There are 14 requirements families, as I mentioned. These comprise the NIST 800-171 R2 standard. The 14 families contain 110 individual controls, or requirements. When you go to implement these 110 requirements, you can do it with your own internal team, you can work with a managed service provider, or perhaps take some hybrid approach where your team handles some and an MSP handles some. The good news is, again, these are non-prescriptive. NIST doesn't tell you exactly how to achieve compliance with each of these requirements, which means there are a variety of different solutions you may be able to implement in your organization to comply with any particular requirement. This points out that in some cases there are alternative but equally effective measures that you might be able to implement to be in compliance with any particular requirement.
Each requirement has a discussion section that helps explain it. According to NIST, "The discussion section associated with each CUI requirement is informative but not normative. It is not intended to extend the scope of a requirement or to influence the solutions organizations may use to satisfy the requirement. In addition, the use of examples is notional, not exhaustive, and not reflective of potential options available to organizations." Let's unpack that a little bit.

First off, again, these pertain to the protection of CUI. If you sculpt your systems correctly, if you segment them in such a way that CUI is only in a limited portion of your environment, then you only have to worry about applying these 110 controls to the portions of your environment that contain CUI. As they say, these are informative, not normative. Again, they're not prescriptive. They're giving you guidance in this discussion section that tells you different ways you might go about being in compliance with these controls. They say it's not intended to extend the scope of a requirement or influence the solutions. In other words, you can come up with your own solutions. Again, this is merely guidance. In addition, the use of examples is notional, not exhaustive. They're not listing every possible way they could come up with that you could be in compliance with these requirements, and again, not reflective of potential options. They're giving you some guidance, they're making some suggestions, they're helping you along, but they're not telling you exactly what you need to do. You may come up with unique ways in your organization, including alternative but equally effective measures, to be in compliance with one or more particular requirements. And again, these requirements only apply to non-federal systems that process or transmit CUI. Let's take a look at the 14 requirement families again.
They are access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, systems and communication protection, and system and information integrity. Again, most of these terms are probably not new if you've worked in IT. Most of these are things that you're probably already doing in your organization to some extent. Hopefully to a large extent, which will of course then reduce the amount of work you need to do to be in compliance with all 110 requirements. That pretty much wraps it up for the overview. Thanks for watching and I will see you in the next video.